Abstract

In this paper we determined explicitly the multiplicative inverses of the Dobbertin and
Welch APN exponents in $\mathbb{Z}_{2^n-1}$, and we described the binary weights of the inverses of
the Gold and Kasami exponents. We studied the function $\mathrm{Inv}_d(n)$, which for a fixed
positive integer $d$ maps integers $n \ge 1$ to the least positive residue of the inverse of $d$
modulo $2^n - 1$, if it exists. In particular, we showed that the function $\mathrm{Inv}_d$ is completely
determined by its values for $1 \le n \le \theta_{d'}$, where $\theta_{d'}$ is the order of 2 modulo the largest
odd divisor of $d$.

1. Introduction

A mapping $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ is called almost perfect nonlinear (APN) if for every non-zero
$a \in \mathbb{F}_{2^n}$ the sets

$$\{f(x + a) + f(x) : x \in \mathbb{F}_{2^n}\}$$

contain exactly $2^{n-1}$ elements. When $n$ is odd, a mapping $f$ is called almost bent (AB) if
for every $a \ne 0$, $\beta \in \mathbb{F}_{2^n}$

b : X {-lf KaFix)+px) e {0, +2^}, 

where Tr is the absolute trace on $\mathbb{F}_{2^n}$. Every AB mapping is APN, but not vice versa.
APN and AB mappings have various applications in cryptology, coding theory and
combinatorics 0,0, Hull.

Every mapping $f$ of $\mathbb{F}_{2^n}$ has a unique univariate polynomial representation over $\mathbb{F}_{2^n}$ of
degree not exceeding $2^n - 1$. With respect to a fixed $\mathbb{F}_2$-basis of $\mathbb{F}_{2^n}$, the mapping $f$ has a
unique multivariate representation over $\mathbb{F}_{2^n}$ such that its degree in every single variable is
less than 2. This multivariate polynomial representation is basis dependent. However its
total degree does not depend on the basis choice, and it is called the algebraic degree of
the mapping $f$. The algebraic degree of a mapping can be computed from its univariate
polynomial representation: Recall that the binary weight of a nonnegative integer $d$ is
the sum of the digits in its binary representation, i.e. if $d = \sum_{i \ge 0} d_i 2^i$ with $0 \le d_i \le 1$,
then the binary weight of $d$ is $\mathrm{wt}(d) = \sum_{i \ge 0} d_i \in \mathbb{Z}$. The algebraic degree of the mapping
$f(x) = \sum_{k=0}^{2^n-1} a_k x^k$ on $\mathbb{F}_{2^n}$ is equal to $\max_{a_k \ne 0}\{\mathrm{wt}(k)\}$. In particular, a monomial mapping
given by $x \mapsto x^d$ with $1 < d < 2^n - 2$ has algebraic degree equal to $\mathrm{wt}(d)$.

1 The first part of this work is an extended version of the results presented in ISIT12
Preprint submitted to Elsevier

When studying a special class of mappings of finite fields, one of the main questions to 
be answered is: What are the properties of polynomials describing this class of mappings? 
This question is widely open for AB/APN mappings. Even a much weaker question, what 
are the possible degrees for univariate or multivariate representations of APN mappings, 
is one of the open challenges in this research area. It is known that the algebraic degree 
of AB mappings does not exceed ^ 0). 

The two best understood classes of APN mappings are the so-called quadratic and
monomial ones. The univariate representation of a quadratic mapping contains only
terms with exponents of binary weight less or equal to 2, i.e. it is of the shape
$\sum_{i,j} b_{ij} x^{2^i + 2^j} \in \mathbb{F}_{2^n}[x]$. The monomial mappings are those of shape $x \mapsto x^d$ with a fixed
integer $1 < d < 2^n - 2$. An integer $1 < d < 2^n - 2$ is called APN exponent on $\mathbb{F}_{2^n}$ if the
corresponding monomial mapping $x \mapsto x^d$ is APN on $\mathbb{F}_{2^n}$. All currently known APN exponents
can be obtained from the ones listed below:





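| | Exponents $d$ | Conditions | |
|---|---|---|---|
| Gold | $2^k + 1$ | $\gcd(k, n) = 1$, $1 \le k \le t$ | APN; AB if $n$ is odd |
| Kasami | $2^{2k} - 2^k + 1$ | $\gcd(k, n) = 1$, $2 \le k \le t$ | APN; AB if $n$ is odd |
| Welch | $2^t + 3$ | $n = 2t + 1$ | APN/AB |
| Niho | $2^t + 2^{t/2} - 1$ if $t$ is even; $2^t + 2^{(3t+1)/2} - 1$ if $t$ is odd | $n = 2t + 1$ | APN/AB |
| inverse | $2^{2t} - 1$ | $n = 2t + 1$ | APN |
| Dobbertin | $2^{4t} + 2^{3t} + 2^{2t} + 2^t - 1$ | $n = 5t$ | APN |

Table 1: Exponents defining APN/AB monomial mappings on $\mathbb{F}_{2^n}$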



It is easy to prove that if $d$ is an APN exponent then also $2 \cdot d \pmod{2^n - 1}$ is so, as
well as the inverse $d^{-1}$ of $d$ modulo $2^n - 1$ if it exists. While the multiplication of an APN
exponent $d$ by 2 is a fairly easy operation, a better understanding of the inverse of $d$ will
yield more insights on APN mappings. It is well known that an APN exponent on $\mathbb{F}_{2^n}$
is invertible in $\mathbb{Z}_{2^n-1}$ if and only if $n$ is odd. In 1(J U| the inverses of Gold's and Niho's
exponents were considered. In this paper we continue this study. In particular, we find
explicit formulas for the inverses of Welch's and Dobbertin's exponents (see Theorem
2.4 and 2.1 respectively) and obtain some partial results on the inverses of Gold's and
Kasami's exponents (see Theorem 3.7 and 3.12 respectively for the main results). Further
we study also the inverses of some other interesting classes of exponents.

When studying inverses of APN exponents $d$ on $\mathbb{F}_{2^n}$, two cases must be distinguished:

• $d$ depends on $n$ (Dobbertin's, Niho's, Welch's exponents and the field inverse)

• a fixed $d$ is an APN exponent on $\mathbb{F}_{2^n}$ for infinitely many $n$ (Gold's and Kasami's
exponents).

It appears that the study of the latter exponents is more difficult than the study
of the exponents of the first type. The exponents $d$ defining APN mappings on $\mathbb{F}_{2^n}$ for
infinitely many $n$ are called exceptional APN exponents jij. In Q, it is shown that Gold's
and Kasami's exponents are the only exceptional APN ones. Finding the inverses of
exceptional APN exponents is an instance of the following general problem: Let $d \ge 1$ be
a fixed integer and define $N_d = \{n \in \mathbb{N} : \gcd(d, 2^n - 1) = 1\}$. How explicitly can we describe
the function $\mathrm{Inv}_d : N_d \to \mathbb{N}$, which maps $n$ to the least positive integer describing the
inverse of $d$ modulo $2^n - 1$? We show that the function $\mathrm{Inv}_d$ is completely determined
by its values for $1 \le n \le \theta_{d'}$, where $\theta_{d'}$ is the order of 2 modulo the largest odd divisor
of $d$. This dependence is given in Theorem 3.2. Based on properties of $\mathrm{Inv}_d$ we propose
Algorithm 1 for inversion in $\mathbb{Z}_{2^n-1}$, which may be of interest for some special applications.

2. Inverses of APN exponents $d$ on $\mathbb{F}_{2^n}$, when $d$ depends on $n$

After having the conjectural modular inverse for a given integer, usually the
correctness of it follows from easy calculations. Hence the main difficulty in finding inverses is
to guess them. For a generic integer $d$ we cannot of course expect to be able to guess its
inverse modulo $2^n - 1$. However, if the binary representation of the integer $d$ has a nice
combinatorial pattern, then the binary representation of its modulo $2^n - 1$ inverse does
not look random either, and therefore the problem could be solvable. Since the binary
representations of the APN exponents listed in Table 1 are far from being random,
finding their inverses explicitly is probably possible. Having this idea in mind we performed
numerical experiments, which led to the formulas for Dobbertin's and Welch's exponents
described below.

2.1. Dobbertin's exponent 

Theorem 2.1. Let $k > 1$ be an odd integer. The least positive residue of the inverse of
$d = 2^{4k} + 2^{3k} + 2^{2k} + 2^k - 1$ modulo $2^{5k} - 1$ is

1 

Furthermore, 

2-t 

showing that wt(t) = . 
Proof. Set A := ■ ^=1. Then 

2 k -A=A (mod2 5A -l). 



2 5 *-l 2 k+[ - 1 
2 k - 1 3 



,<=o j=o , 
Observe that $d = \frac{2^{5k} - 1}{2^k - 1} - 2$. Hence



d; , 5 <3,4-<,> = 5 (— <2«-i>- — + 2 
" 5(^T' (2,, '- 2) + 2 

= 1 (mod 2 5k - 1). 

Clearly, $t < 2^{5k} - 1$ and thus $t$ is indeed the least positive residue of the inverse of $d$ modulo
$2^{5k} - 1$. □

By Theorem 2.1 the inverse of Dobbertin exponent defines an APN mapping on $\mathbb{F}_{2^n}$
with algebraic degree exceeding $(n + 1)/2$. The only previously known such example
was the inverse mapping, with algebraic degree $n - 1$. This observation shows also that
the monomial mappings defined by Dobbertin's exponents and their inverses are not AB,
which was originally proved in Q by exploiting the divisibility properties of corresponding
codes.

Corollary 1. The monomial mappings with Dobbertin's exponents and their inverses are 
not AB. 

2.2. Niho's exponents 

For the sake of completeness, we give here the explicit inverses of Niho's exponents
which were found in ll|. For $n = 2m + 1$, Niho's exponent $d$ has the shape

$$d = \begin{cases} 2^m + 2^{m/2} - 1 & \text{if } m \text{ is even} \\ 2^m + 2^{(3m+1)/2} - 1 & \text{if } m \text{ is odd,} \end{cases}$$

or equivalently, with $k > 1$,

$$d = \begin{cases} 2^{2k} + 2^k - 1 & \text{if } m = 2k \\ 2^{3k+2} + 2^{2k+1} - 1 & \text{if } m = 2k + 1. \end{cases}$$

The inverses for Niho exponents depend on $n \pmod 8$ as the next theorem shows.

Theorem 2.2. (a) Let $n = 4k + 1$ and $d = 2^{2k} + 2^k - 1$ be the Niho exponent. Set $t$ to
denote the least positive residue of the inverse of $d$ modulo $2^n - 1$. Then

• if $k$ is even, i.e. if $n \equiv 1 \pmod 8$,

$$t = \frac{2^k - 1}{3}\left(2^{3k+1} + 2^{k+1} + 1\right) + 2^k + 2^{3k+1}. \quad (1)$$

• if $k$ is odd, i.e. if $n \equiv 5 \pmod 8$,

$$t = \frac{2^{k-1} - 1}{3}\left(2^{3k+2} + 2^{2k+2} + 1\right) + 2^{3k+1} + 2^{2k+1} + 2^{k-1}. \quad (2)$$

In particular,

( 2"+5 if n = \ (mod 8) 
wt(t) = \ 

{ i/ni5 (mod 8). 

(b) Let $n = 4k + 3$ and $d = 2^{3k+2} + 2^{2k+1} - 1$ be the Niho exponent. Set $t$ to denote the
least positive residue of the inverse of $d$ modulo $2^n - 1$. Then

• if $k$ is even, i.e. if $n \equiv 3 \pmod 8$,

$$t = \frac{2^k - 1}{3}\left(2^{3k+4} + 2^{k+2} + 2\right) + 2^{3k+3} + 2^{k+1}. \quad (3)$$

• if $k$ is odd, i.e. if $n \equiv 7 \pmod 8$,

$$t = \frac{2^{k+1} - 1}{3}\left(2^{3k+3} + 2^{2k+3} + 2\right) + 2^{2k+2}. \quad (4)$$



In particular, 

22±Z j/ n = 3 (mod 8) 

wt(f) = \ 

if n = l (mod 8). 



3/i+H 
Proof. We prove only the first statement of part (a), since the remaining cases follow by
similar arguments.

• Let $n = 4k + 1$ and $k$ be even. Then



d-t = (2 2k + 2 k -\) 



p_J.( 2 3* +1 + 2* +1 + l) + 2* + 2 3 * +1 l 



2 k - 1 



3 

2 

2 A - 1 



( 2 5 * +1 + 2 4k+1 - 2 3k+l + 2 3k+l + 2 2k+l - 2 k+l + 2 2k + 2 k -l) 



+2 3k + 2 2k -2 k + 2 5k+l + 2 4k+l - 2 3k+l 
(2 2k+x +2 2k )-2 3k + 2 2k + \ 



3 

= (2 k - l)2 2t - 2 3k + 2 2 * + 1 
= 1 (mod 2 4k+l - 1). 



It remains to note that wt(f) = 2 + 3 • wt (3^) - 1 = 1 + 3 • ^ = ^p, since 

? k — 1 9* - 1 /9* — 1 

f=- i + 2 A ' + 2 i+1 -= i + 2 3i+2 + 2 3,:+1 



and 



Z 2 * 



/=() 



□ 
2.3. Welch's exponent

Let $v$ be a nonnegative integer with binary representation $v = \sum_{i=0}^{r-1} v_i 2^i$ where $v_{r-1} \ne 0$.
If $r' \ge r$, we say that

$$\underbrace{0 0 \ldots 0}_{r'-r}\,\underbrace{v_{r-1} \ldots v_1 v_0}_{r}$$

is the sequence of length $r'$ representing the integer $v$. Two sequences $a_{r-1} \ldots a_0$ and
$b_{r-1} \ldots b_0$ are called complementary if $a_i = b_i + 1 \pmod 2$ for all $0 \le i \le r - 1$. For
a sequence $a$, we denote by $\bar{a}$ its complementary sequence. Note that if a sequence
$a = a_{r-1} \ldots a_0$ represents the integer $a$, then its complementary sequence $\bar{a}$ represents the
integer $2^r - 1 - a$. This follows from the fact that the sequence $1 1 \ldots 1$ represents the
integer $2^r - 1$. For two sequences $a$ and $b$, we denote by $a|b$ their concatenation.

Lemma 2.3. Let $s > 2$ and $0 < u < 2^s$ be integers. Then the binary representation of
length $2s$ of the integer $(2^s - 1) \cdot u$ is $w|\bar{w}$, where $w$ is the sequence of length $s$ representing
the integer $u - 1$ and $\bar{w}$ is the complement of the binary sequence $w$ and represents the
integer $2^s - u$. In particular, the binary weight of the integer $(2^s - 1) \cdot u$ is $s$.

Proof. The statement of the lemma follows from the observation that
$(2^s - 1) \cdot u = (u - 1) \cdot 2^s + (2^s - u)$. Moreover, the binary representation of the length $s$ of $2^s - u$ is the
complement of that of $u - 1$, since $(2^s - u) + (u - 1) = 2^s - 1$. □

Theorem 2.4. Let $n = 2k + 1$. The least positive residue $t$ of the inverse of Welch's
exponent $2^k + 3$ modulo $2^{2k+1} - 1$ is:

• If $k \equiv 0 \pmod 8$ then



with binary weight $k + 1$.



• If $k \equiv 1 \pmod 8$ then




with binary weight k + 1 . 



• If $k \equiv 2 \pmod 8$ then



2' 



k-2 



1 




with binary weight k. 



• If $k \equiv 3 \pmod 8$ then




with binary weight k. 






• If $k \equiv 4 \pmod 8$ then

$$t = 2^{k-4} + 2^{k-2} + 2^{k-1} + 2^{k+4} + \frac{2^{k-4} - 1}{17}\left(9 \cdot 2^{k+5} + 3\right)$$

with binary weight $k$.

• If $k \equiv 5 \pmod 8$ then

f = 1 + 2" + 2 k - 1 +2 k + 2 k+l + — — (2 k+6 + 12) 

17 v 1 

with binary weight k. 

• If $k \equiv 6 \pmod 8$ then

t = 2 k - 5 + 2 k - A + 2 k - 2 + 2 k+3 + 2 M 

+ 2 k+5 + 2 k+6 + 2 6-1 ( 16 • 2 k+1 + 10) 
17 v ' 

with binary weight k + 1 . 

• If $k \equiv 7 \pmod 8$ then

t = 2 k - 5 + 2 k - 4 + 2 A '- 3 + 2 k - 2 + 2 k+1 + 2 k+1 

+ 2 k+4 + 2 k+1 + ?—± (io . 2 k+& + 4) 
17 v ' 

with binary weight k + 1 . 

Proof. We only need to verify that $(2^k + 3) \cdot t \equiv 1 \pmod{2^{2k+1} - 1}$, since obviously all
listed integers $t$ are smaller than $2^{2k+1} - 1$. We do this verification for $k \equiv 4 \pmod 8$, the
remaining cases are similar. Thus, let $k \equiv 4 \pmod 8$ and consider

$$(2^k + 3) \cdot \left(2^{k-4} + 2^{k-2} + 2^{k-1} + 2^{k+4} + \frac{2^{k-4} - 1}{17}\left(9 \cdot 2^{k+5} + 3\right)\right) \pmod{2^{2k+1} - 1}. \quad (5)$$

Observe that

$$(2^k + 3) \cdot (9 \cdot 2^{k+5} + 3) \equiv 17 \cdot (9 + 3 \cdot 17 \cdot 2^k) \pmod{2^{2k+1} - 1},$$

and therefore (5) reduces to

$$(2^k + 3) \cdot (2^{k-4} + 2^{k-2} + 2^{k-1} + 2^{k+4}) + (2^{k-4} - 1) \cdot (9 + 3 \cdot 17 \cdot 2^k) =$$
$$(2^k + 2 + 1)(2^{k-4} + 2^{k-2} + 2^{k-1} + 2^{k+4}) + (2^{k-4} - 1)(2^3 + 1 + 2^{k+5} + 2^{k+4} + 2^{k+1} + 2^k)$$

_ 2 2A-4 + 2 2k-2 + 2 2k-i + 2 3 + jk-l + 2 *-l + 2 * + 2 * + 5 + 2 *-4 + ^-2 + tf-X + 2 * + 4 + 
2 H + 2 *-4 + j + 2 2* + 2 2*-3 + 2 2<:-4 _ 2 3 _ j _ 2 * + 5 _ 2 A- + 4 _ 2 * + l _ 2 * = 
2 2*-4 + 2 2A-2 + 2 2A-1 + ^3 + _ 2 * + 2 A-4 + 2 *-2 + 2 *-4 + 2 2A + ^-3 + 2 2A-4 = 

2 2A + 2 2A-1 + 2 2A-2 + 2 2A-3 + 2 . 2 2A-4 _ 2^ + 2^ 1 + 2^ 2 + 2^ 3 + 2 • 2^ 4 = 

1 (mod 2 2k+l - 1). 
To complete the proof it remains to show that the binary weight of
$t = 2^{k-4} + 2^{k-2} + 2^{k-1} + 2^{k+4} + \frac{2^{k-4} - 1}{17}\left(9 \cdot 2^{k+5} + 3\right)$ is $k$. We firstly compute the binary weight of

9&-4 _ 1 9/1-4 _ 1 

i_i (9-2^+3) = l^-i(2 4 -l)(9-2^ + 3) 

= (2 4 -l)(9-2 A+5 + 3) J] 2 % j 

j=o 

= 3(2 4 - 1) 2 8 ;' + 9(2 4 2 8/+1 . 

7=0 ;=*±i 

Note that the integers 3 and 9 are less than 2 4 , so Lemma [2.31 implies that the binary 
weight of both integers 3(2 4 - 1) £ J Q l 2 S J and 9(2 4 - 1) 2 8,+1 is 4 ■ ^ = ^. Thus 

the binary weight of / is 2 ■ ^ + 4 = k. □ 

Remark 1. The crucial step for guessing the inverses $t$ of Welch's exponent was the
observation that $t$ satisfies certain recurrence relations. For instance, we take $n = 2k + 1$
with $k \equiv 0 \pmod 8$. Set $k = 8r$ with $r \ge 0$. Suppose $t_r$ is the binary sequence of length
$n = 16r + 1$ representing the least positive residue of the inverse of Welch's exponent $2^{8r} + 3$
modulo $2^n - 1$. Then for every $r \ge 1$

t r = 11000011 1 1 01 10 1001 

holds and $t_0 = 1$.



3. Inverses of a fixed integer $d$ modulo all $2^n - 1$

In the previous section we described the inverses for Dobbertin's, Niho's and Welch's
exponents, and herewith it remains to find the inverses for Gold's and Kasami's
exponents to have all presently known APN exponents explicitly. A fixed Gold's or Kasami's
exponent defines an APN mapping on infinitely many finite fields and therefore we aim
at finding the inverses of a fixed integer modulo infinitely many $2^n - 1$. For example, Gold's
exponent 3 and Kasami's exponent 13 define bijective monomial APN mappings on $\mathbb{F}_{2^n}$
with any $n$ odd. Hence we want to find inverses of 3 and 13 modulo all $2^n - 1$ where
$n$ is odd. Motivated by this observation, in the next subsection we study the following
general problem: For a given fixed integer $d \ge 1$, let $N_d = \{n \in \mathbb{N} : \gcd(d, 2^n - 1) = 1\}$.
What can we say about the function $\mathrm{Inv}_d : N_d \to \mathbb{N}$, whose output for $n$ is the least
positive integer describing the inverse of $d$ modulo $2^n - 1$? Most of the results of the next
subsection can be directly generalized for modulo $p^n - 1$, where $p$ is a prime number.

3.1. General case 

Definition 1. Let $d$ be a fixed positive integer. For a positive integer $n$ satisfying
$\gcd(d, 2^n - 1) = 1$, set $\mathrm{Inv}_d(n)$ be the least positive residue of the inverse of $d$ modulo
$2^n - 1$, that is the integer $\mathrm{Inv}_d(n)$ is defined by



< Inv rf (n) < 2" - 1 and d ■ Invj («) = 1 (mod 2" - 1). 
In the rest of this section we assume, without loss of generality, that the fixed number
$d$ is odd. Indeed, if $d_1 = 2^u \cdot d$ with $u > 0$ then the study of the function $\mathrm{Inv}_{d_1}$ may be
reduced to the one of $\mathrm{Inv}_d$ using

$$\mathrm{Inv}_{d_1}(n) = 2^{n-u}\, \mathrm{Inv}_d(n) \pmod{2^n - 1}.$$

Let $d \ge 3$ and $\theta_d$ be the (multiplicative) order of 2 modulo $d$, that is $\theta_d$ is the least
positive integer $\sigma$ such that $2^\sigma \equiv 1 \pmod d$. We set $\theta_1 = 0$. The next results show that in
the study of the function $\mathrm{Inv}_d$ the magnitude $\theta_d$ plays an important role: $\lfloor \theta_d/2 \rfloor$ many
values of the function $\mathrm{Inv}_d$ completely determine it.

The following proposition shows that if $\mathrm{Inv}_d(r)$ is known for some $1 \le r \le \theta_d - 1$, then
it yields the value of $\mathrm{Inv}_d(\theta_d - r)$.

Proposition 3.1. Let $1 \le r \le \theta_d - 1$ and $\gcd(d, 2^r - 1) = 1$. Then $\gcd(d, 2^{\theta_d - r} - 1) = 1$
and

$$\mathrm{Inv}_d(\theta_d - r) = \frac{\left(d + 1 - \frac{\mathrm{Inv}_d(r) \cdot d - 1}{2^r - 1}\right)\left(2^{\theta_d - r} - 1\right) + 1}{d}. \quad (6)$$
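Proof. Note that $\gcd(d, 2^{\theta_d - r} - 1) = 1$, since $2^r \cdot (2^{\theta_d - r} - 1) = 2^{\theta_d} - 1 - (2^r - 1)$. Set $t$ be the
rational number at the right hand side of (6), i.e.

$$t := \frac{\left(d + 1 - \frac{\mathrm{Inv}_d(r) \cdot d - 1}{2^r - 1}\right)\left(2^{\theta_d - r} - 1\right) + 1}{d}.$$

First we show that $t$ is an integer, or equivalently that

$$\left(d + 1 - \frac{\mathrm{Inv}_d(r) \cdot d - 1}{2^r - 1}\right)\left(2^{\theta_d - r} - 1\right) + 1$$

is divisible by $d$. Since $\gcd(d, 2^r - 1) = 1$, it is enough to show that

$$(2^r - 1)\left(\left(1 - \frac{\mathrm{Inv}_d(r) \cdot d - 1}{2^r - 1}\right)\left(2^{\theta_d - r} - 1\right) + 1\right) \equiv 0 \pmod d,$$

which in its turn reduces to

$$(2^r - 1)\, 2^{\theta_d - r} - (\mathrm{Inv}_d(r) \cdot d - 1)(2^{\theta_d - r} - 1) \equiv 0 \pmod d.$$

The left hand side of the latter congruence is

$$2^{\theta_d} - 1 - \mathrm{Inv}_d(r) \cdot d \cdot (2^{\theta_d - r} - 1),$$

which is divisible by $d$ by the definition of $\theta_d$.

Finally it is easy to see that $t \cdot d \equiv 1 \pmod{2^{\theta_d - r} - 1}$ and $1 \le t \le 2^{\theta_d - r} - 1$.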

The following identity is obtained directly from 
Corollary 2. Let $1 \le r \le \theta_d - 1$ with $\gcd(d, 2^r - 1) = 1$. Then

$$\frac{d \cdot \mathrm{Inv}_d(\theta_d - r) - 1}{2^{\theta_d - r} - 1} + \frac{\mathrm{Inv}_d(r) \cdot d - 1}{2^r - 1} = d + 1. \quad (7)$$



□ 



The next theorem is the main result of this section. It shows that the value of $\mathrm{Inv}_d(n)$
can be computed from $\mathrm{Inv}_d(r)$ where $r$ is the least positive residue of $n$ modulo $\theta_d$. We
give three different expressions for this dependence, each of them appears to be more
convenient for a certain situation. Observe that Theorem 3.2 implies in particular that
in order to determine values of the inverses of $d$ modulo all $2^n - 1$ it is enough to compute
only finitely many of them.

Theorem 3.2. Let $n > 1$ with $\gcd(d, 2^n - 1) = 1$ and $1 \le r \le \theta_d - 1$ such that $n \equiv r \pmod{\theta_d}$. Then

(a)



(b)

$$\mathrm{Inv}_d(n) = \mathrm{Inv}_d(r) \cdot \sum_{i=0}^{m} 2^{\theta_d i} + \left(2^{\theta_d - r} - 1 - \mathrm{Inv}_d(\theta_d - r)\right) 2^r \sum_{i=0}^{m-1} 2^{\theta_d i} \quad (9)$$

where $m =$

Equivalently,

$$\mathrm{Inv}_d(n) = \mathrm{Inv}_d(r) \cdot \frac{2^{\theta_d (m+1)} - 1}{2^{\theta_d} - 1} + \left(2^{\theta_d - r} - 1 - \mathrm{Inv}_d(\theta_d - r)\right) 2^r \cdot \frac{2^{\theta_d m} - 1}{2^{\theta_d} - 1}.$$



(c) 



Inv d (r)(2"-l)-2!=2: 
Inv,i («) = 



2 r - 1 
Proof, (a) Set 

Clearly, f is a positive integer, since 2 r - 1 divides d-Inv c i (r)-l and of divides 2* _r ~l. Next 
we show that t < 2" — 1. Note that Inv^ (r) < 2'" - 2, since otherwise Inv^ (r) = 2 r - 2 = d, 
which contradicts the assumption that d is odd. Hence we have 

Invrf(r) < 2 r -2 => 

d-Inv d (r) < d-{2'-2) => 

d-lnv d (f)-\ < d-{2 r -\)-{d+\) => 
(<Mnv t/ (r)-l)(2"-l) (t/+l)(2"-l) ^ 

2 r - 1 2 r - 1 

(<Mnv d (r)-l)(2"-l) 



2 r - 1 

(£/-Inv rf (r)-l)(2"-l) 
2 r - 1 



1 < (2"~l)-d~(d+l) + l 
1 < (2" -!)■£/ ^> 



(2"-20- d ' I !! d ? ^ (rf-Inv^D-D + l < (2» -!)■<*. 
It remains to observe that the left hand side of the last inequality is

i2 n_ 2 r } . d-^(r)-l +{d , InVd(r) _ 1) + 1 = 

2- (d • inv, (r) - 1) + (2~ - 1) d ' ^ ~ 1 + 1 = 

2"-" - * - inv, (r) + (2- - l) ^ 1 ^- 1 - l) = * • 4 

proving that indeed t < 2" — 1. 

To complete the proof we must show that f is the inverse of d modulo 2" - 1 . From 
the above observation, we have 

t-d = (2--20- rf ' I 7_ ( ; ) " 1 + (<Mnv,(r)-l) + l 

= (y _ 1) . rf-lnv,(r)-l _ (y _ 1)- rf-lny << (r)-l +(rf-invrf(r) _ 1)+1 



2 r - 1 
= 1 (mod 2" - 1). 



2 r - 1 



(b) Set

$$S_d(n) = \frac{d \cdot \mathrm{Inv}_d(n) - 1}{2^n - 1}.$$

Then Corollary 2 shows that

$$S_d(r) + S_d(\theta_d - r) = d + 1.$$



Multiplying © by d, we have 



H-l \ 



Inv, (r) J] 2 8 ' + (2 fl " " r - 1 - Inv d - r)) 2'' • £ 2 Srf 

i=0 

m 

= (S rf (r)(2'-l)+l)^2 erf "' 

1=0 

+ 2 r ■ </ (2 e "- r - 1) - 2'' (S d (8 d - r)(2 e "- r - 1) + 2 

m m 

= S d (r)(2 r -l)£2 e " i + £2 ( ^ 
i=0 (=0 

+ (2 r (2 fl "-'' - 1) (</ - S d (0,/ - r)) - T) J] 2 fl " "' 



i=0 



m— 1 



n-1 \ 



(2" - 1) + (2'' - 2 e " ) • ^ 2 fl " + 1 + 2"" J] 2 fl " ■'' 



i=0 



i=0 



m- 1 



+ (2'(2 e ^ - 1) (d - S d (9 d - r)) - 2') £ 2 fl - ; 
11 



/=o 



(10) 



m— 1 



= S d (r)(2" - 1) + 1 + 2 6j Y 2 flrf 

i=0 

m-l 

+ (T(2 9 -< ~ r - 1) (d - S d (6 d - r) - S d (r)) - 2 r ) j] 2 e " 



!=0 

m-l 



= 1 + S rf (r)(2" - 1) + 2'(2 e "-'- - 1) {d - S d (6 d - r) - S d (r) +1)^2" 



p8j ■( 

s 1 (mod 2" - 1), 



where we apply (fTU|) to get the congruence modulo 2" - 1. 

(c) This identity follows from ^ in Proposition ^. H and © of part (b) of this theorem. 

□ 

Formulas (8) and (9) of Theorem 3.2 imply that the binary representation of inverses
modulo $2^n - 1$ have a nice combinatorial structure:

Corollary 3. Let $n > 1$ with $\gcd(d, 2^n - 1) = 1$ and $1 \le r \le \theta_d - 1$ such that $n \equiv r \pmod{\theta_d}$.
Set

- $t_n$ be the binary sequence of length $n$ representing $\mathrm{Inv}_d(n)$;

- $u_{\theta_d}$ be the binary sequence of length $\theta_d$ representing $\left(\frac{d \cdot \mathrm{Inv}_d(r) - 1}{2^r - 1} - 1\right) \cdot \frac{2^{\theta_d} - 1}{d}$;

- $a_r$ be the binary sequence of length $r$ representing $\mathrm{Inv}_d(r)$;

- $\bar{b}_{\theta_d - r}$ be the complementary sequence of the binary sequence of length $\theta_d - r$
representing $\mathrm{Inv}_d(\theta_d - r)$.

Then $t_n$ is obtained by concatenating sequences $a_r$, $\bar{b}_{\theta_d - r}$ and $u_{\theta_d}$ as follows:

$$t_n = a_r | u_{\theta_d} | u_{\theta_d} | \ldots | u_{\theta_d} = a_r | \bar{b}_{\theta_d - r} | a_r | \ldots | \bar{b}_{\theta_d - r} | a_r.$$

Example 3.1. Let $d = 7$. Then $\theta_7 = 3$ and for every $n$ not divisible by 3, we have
$r = 1, 2 \equiv n \pmod 3$. Moreover, $\mathrm{Inv}_7(1) = \mathrm{Inv}_7(2) = 1$, thus from Theorem 3.2 we
deduce

$$\mathrm{Inv}_7(n) = 2^{n-r} + \left(\frac{6}{2^r - 1} - 1\right) \frac{2^{n-r} - 1}{7}.$$

Suppose that $r = 1$, then the binary representation of $\mathrm{Inv}_7(n)$, say $t$, is as follows:

$$t = 1\,|\,u\,|\,u\,|\ldots|\,u = 1\,|\,101\,|\,101\,|\ldots|\,101,$$

where $u$ is a binary sequence of length 3 representing the integer

Suppose that $r = 2$, then the binary representation of $\mathrm{Inv}_7(n)$, say $t'$, is as follows:

$$t' = 01\,|\,u'\,|\,u'\,|\ldots|\,u' = 01\,|\,001\,|\,001\,|\ldots|\,001,$$

where $u'$ is a binary sequence of length 3 representing the integer
$\left(\frac{d \cdot \mathrm{Inv}_d(r) - 1}{2^r - 1} - 1\right) \cdot \frac{2^{\theta_d} - 1}{d} = 1$.



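Lemma 3.3. Let $\theta_d$ be even and let $d$ divide $2^{\theta_d/2} + 1$. Further, suppose $n > 1$ is such
that $d$ and $2^n - 1$ are coprime, and let $1 \le r \le \theta_d - 1$ be the least positive residue of $n$
$\pmod{\theta_d}$. Then the following properties hold:

(a)

$$\mathrm{wt}(\mathrm{Inv}_d(n)) = \mathrm{wt}(\mathrm{Inv}_d(r)) + \frac{n - r}{2}.$$

(b)

$$\mathrm{wt}(\mathrm{Inv}_d(\theta_d - r)) = \mathrm{wt}(\mathrm{Inv}_d(r)) + \frac{\theta_d}{2} - r. \quad (11)$$

Proof. By Corollary 3 the binary weight of $\mathrm{Inv}_d(n)$ is

$$\mathrm{wt}(\mathrm{Inv}_d(n)) = \mathrm{wt}(\mathrm{Inv}_d(r)) + \frac{n - r}{\theta_d} \cdot \mathrm{wt}(u_{\theta_d}),$$

where $u_{\theta_d}$ is the binary sequence of length $\theta_d$ representing the integer

$$\left(\frac{d \cdot \mathrm{Inv}_d(r) - 1}{2^r - 1} - 1\right) \frac{2^{\theta_d} - 1}{d} = \left(\frac{d \cdot \mathrm{Inv}_d(r) - 1}{2^r - 1} - 1\right) \frac{2^{\theta_d/2} + 1}{d} \left(2^{\theta_d/2} - 1\right).$$

By Lemma 2.3 the weight of $u_{\theta_d}$ is $\theta_d/2$, which completes the proof of (a). The statement
of (b) follows from the fact that

$$u_{\theta_d} = \bar{b}_{\theta_d - r} | a_r,$$

and therefore

$$\frac{\theta_d}{2} = \mathrm{wt}(u_{\theta_d}) = \theta_d - r - \mathrm{wt}(\mathrm{Inv}_d(\theta_d - r)) + \mathrm{wt}(\mathrm{Inv}_d(r)).$$

□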

Remark 2. Let Inverse be an algorithm for inversion modulo $2^n - 1$. Theorem 3.2 and
discussions of this subsection show that for several classes of integers finding their inverses
modulo $2^n - 1$ can be reduced to computations modulo $2^{n'} - 1$ with $n'$ much smaller than
$n$. We summarize this observation in the following algorithm.
Data: positive integers $d$ and $n$ such that $\gcd(d, 2^n - 1) = 1$.
Result: $\mathrm{Inv}_d(n)$, the inverse of $d$ modulo $2^n - 1$.

if $n = 1$ or $d = 1$ then
    return 1
end
if $d$ is even then
    return $2^{n-1} \cdot \mathrm{Inv}_{d/2}(n) \pmod{2^n - 1}$
end
$\theta_d$ ← the order of 2 modulo $d$;
$r$ ← $n \pmod{\theta_d}$;
if $r \ne n$ then
    $A$ ← $\mathrm{Inv}_d(r)$;
    return $A \cdot 2^{n-r} + \left(\frac{d \cdot A - 1}{2^r - 1} - 1\right) \cdot \frac{2^{n-r} - 1}{d}$
else
    $d'$ ← $d \pmod{2^n - 1}$;
    if $d' \ne d$ then
        return $\mathrm{Inv}_{d'}(n)$
    else
        if $n > \theta_d/2$ then
            return $\frac{\left(d + 1 - \frac{d \cdot \mathrm{Inv}_d(\theta_d - n) - 1}{2^{\theta_d - n} - 1}\right)(2^n - 1) + 1}{d} = \mathrm{Inv}_d(n)$;
        else
            Compute $\mathrm{Inv}_d(n)$ using Inverse;
        end
    end
end

Algorithm 1: Recursive inversion

Algorithm 1 reduces the computation of the inverse of $d$ modulo $2^n - 1$ to one of
modulo $2^r - 1$ with $1 \le r \le \theta_d$. In particular, this algorithm is effective for integers $d$
with $\theta_d$ much smaller than $n$ or for integers $d$ with known small factors. Furthermore,
this algorithm performs well for several special integers $d$, like Gold's and Kasami's
exponents considered in the next subsections.

The next two examples compute inverses using Algorithm 1.

Example 3.2. Let $n = 97$ and $d = 2^{11} + 1 = 2049$. We compute the inverse of 2049
modulo $2^{97} - 1$:

1: $\theta_{2049}$ ← 22

2: $r$ ← $9 \equiv 97 \pmod{22}$

3: $9 \ne 97$ then return $\mathrm{Inv}_{2049}(9) \cdot 2^{88} + \left(\frac{2049 \cdot \mathrm{Inv}_{2049}(9) - 1}{511} - 1\right) \frac{2^{88} - 1}{2049}$

3.1: now $n = 9$ and $d = 2049$

3.2: $\theta_{2049}$ ← 22

3.3: $r$ ← $9 \pmod{22}$ then

3.4: $d'$ ← $5 \equiv 2049 \pmod{2^9 - 1}$

3.5: return $\mathrm{Inv}_5(9)$

3.5.1: now $n = 9$ and $d = 5$

3.5.2: $\theta_5$ ← 4

3.5.3: $r$ ← $1 \equiv 9 \pmod 4$

3.5.4: $1 \ne 9$ then return $2^8 + 3 \cdot \frac{2^8 - 1}{5}$

4: $\mathrm{Inv}_{2049}(97) = \left(2^8 + 3 \cdot \frac{2^8 - 1}{5}\right) \cdot 2^{88} + \left(\frac{2049 \cdot \left(2^8 + 3 \cdot \frac{2^8 - 1}{5}\right) - 1}{511} - 1\right) \frac{2^{88} - 1}{2049}$

Note that in this example, we do not need to call the algorithm Inverse.

Example 3.3. Let $n = 101$ and $d = 13$. We compute the inverse of 13 modulo $2^{101} - 1$:

1: $\theta_{13}$ ← 12

2: $r$ ← $5 \equiv 101 \pmod{12}$

3: Using Inverse we compute that the inverse of 13 modulo $2^5 - 1$ is 12

4: $\mathrm{Inv}_{13}(101) = 12 \cdot 2^{96} + \left(\frac{13 \cdot 12 - 1}{31} - 1\right) \frac{2^{96} - 1}{13}$

Note that the computation of the inverse of 13 modulo $2^{101} - 1$ was reduced to the one
modulo $2^5 - 1$.
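
Algorithm 1 as a runnable sketch, added here as an example in Python; it is not code from the paper. The names `order_of_2`, `inv` and the `stats` counter are assumptions of this sketch, and Python's built-in `pow(d, -1, m)` stands in for the unspecified algorithm Inverse.

```python
from math import gcd


def order_of_2(d):
    """Multiplicative order of 2 modulo an odd d >= 3 (theta_d in the text)."""
    theta, power = 1, 2 % d
    while power != 1:
        power = (power * 2) % d
        theta += 1
    return theta


def inv(d, n, stats=None):
    """Inv_d(n): least positive residue of d^-1 modulo 2^n - 1, via Algorithm 1.

    stats (optional dict) counts how often the generic fallback Inverse is used.
    """
    if stats is None:
        stats = {}
    m = (1 << n) - 1
    if gcd(d, m) != 1:
        raise ValueError("d is not invertible modulo 2^n - 1")
    if n == 1 or d == 1:
        return 1
    if d % 2 == 0:
        # 2 * 2^(n-1) = 2^n = 1 (mod 2^n - 1), so halve d and rescale.
        return ((1 << (n - 1)) * inv(d // 2, n, stats)) % m
    theta = order_of_2(d)
    r = n % theta
    if r != n:
        # Reduction n -> r used in Algorithm 1 and in Examples 3.2 and 3.3.
        a = inv(d, r, stats)
        s = (d * a - 1) // ((1 << r) - 1)          # exact: d*a = 1 mod 2^r - 1
        return a * (1 << (n - r)) + (s - 1) * (((1 << (n - r)) - 1) // d)
    d_red = d % m
    if d_red != d:
        # d exceeds the modulus: continue with the reduced residue.
        return inv(d_red, n, stats)
    if 2 * n > theta:
        # Proposition 3.1: obtain Inv_d(n) from Inv_d(theta - n).
        a = inv(d, theta - n, stats)
        s = (d * a - 1) // ((1 << (theta - n)) - 1)
        return ((d + 1 - s) * m + 1) // d
    # No structural shortcut left: call a generic inversion routine.
    stats["fallback"] = stats.get("fallback", 0) + 1
    return pow(d, -1, m)


def demo():
    """Replay Examples 3.2 and 3.3 and report the fallback counts."""
    s1, s2 = {}, {}
    t1 = inv(2049, 97, s1)
    t2 = inv(13, 101, s2)
    ok1 = (2049 * t1) % (2**97 - 1) == 1
    ok2 = (13 * t2) % (2**101 - 1) == 1
    return ok1, s1.get("fallback", 0), ok2, s2.get("fallback", 0)


if __name__ == "__main__":
    print(demo())
```

The fallback counter reproduces the remarks in the two examples: the Gold exponent 2049 is inverted without any call to Inverse, while 13 needs exactly one call, for the modulus $2^5 - 1$.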

3.2. Gold's exponent

An integer $1 < d < 2^n - 2$ is called Gold's exponent if $d = 2^k + 1$ and $\gcd(n, k) = 1$.
The assumption $\gcd(n, k) = 1$ is necessary and sufficient for the mapping $x \mapsto x^d$ to be
APN on $\mathbb{F}_{2^n}$. In this section we use the term Gold's exponent to refer to the integers
$d = 2^k + 1$ with $n/\gcd(n, k)$ odd. The assumption $n/\gcd(n, k)$ odd ensures that $2^k + 1$ is
invertible modulo $2^n - 1$, cf. 0, Lemma 11.1]:

Lemma 3.4. Let $n$ and $k$ be positive integers. Then $\gcd(2^k + 1, 2^n - 1) = 1$ if and only if
$n/\gcd(n, k)$ is odd.

The inverses of APN Gold's exponents were considered in [10, Proposition 5]:

Proposition 3.5. Let $n$ be odd, and $\gcd(n, k) = 1$. Then

$$\mathrm{Inv}_{2^k+1}(n) \equiv \frac{2^{k(n+1)} - 1}{2^{2k} - 1} = \sum_{i=0}^{\frac{n-1}{2}} 2^{2ik} \pmod{2^n - 1}$$

and $\mathrm{wt}(\mathrm{Inv}_{2^k+1}(n)) = \frac{n + 1}{2}$.

Note that the integer $\frac{2^{k(n+1)} - 1}{2^{2k} - 1}$ is equal to the least positive residue of the inverse of
$2^k + 1$ modulo $2^n - 1$ if and only if $k = 1$. For $k = 1$, the statement of Proposition 3.5
reduces to $\mathrm{Inv}_3(n) = \frac{2^{n+1} - 1}{3}$ for all $n$ odd.

Lemma 3.6. Let $k > 1$ be an integer. The order of 2 modulo $2^k + 1$ is $\theta_{2^k+1} = 2k$.

Proof. Clearly, $k$ is the smallest positive integer satisfying

$$2^k \equiv -1 \pmod{2^k + 1},$$

implying that $\theta_{2^k+1} = 2k$. □

Lemma 3.6 and Theorem 3.2 show that to invert a fixed Gold's exponent $2^k + 1$ modulo
all $2^n - 1$ ($n > 1$) it is enough to obtain the inverses $\mathrm{Inv}_{2^k+1}(r)$ for $1 \le r \le 2k$. In some of
the arguments of this section it will be enough to consider only $1 \le r \le k$, because of the
following easy observation:

Claim 1. Let $0 < r < k$. Then $2^k + 1 \equiv 2^k \cdot (2^r + 1) \pmod{2^{k+r} - 1}$. In particular, the least
positive residues of inverses of $2^r + 1$ and $2^k + 1$ modulo $2^{k+r} - 1$ have the same binary
weight.

The following theorem summarizes the main results on the inverses of Gold exponents.

Theorem 3.7. Let $n, k > 1$ with $\gcd(n, k) = s$ and $n/s$ odd. Set $r$ be the least positive
residue of $n$ modulo $2k$. Then

(a) 

Inv 2 *+i (n) = Inv 2 * + i (r) • 2 + ^— 11(2 - 1) _ . 

(b) Set

- $g_n$ be the binary sequence of length $n$ representing $\mathrm{Inv}_{2^k+1}(n)$;

- $w_k$ be the binary sequence of length $k$ representing $\frac{(2^k + 1) \cdot \mathrm{Inv}_{2^k+1}(r) - 1}{2^r - 1} - 2$;

- $a_r$ be the binary sequence of length $r$ representing $\mathrm{Inv}_{2^k+1}(r)$.

Then $g_n$ is obtained by concatenating sequences $a_r$, $w_k$ and $\bar{w}_k$ as follows:

$$g_n = a_r | w_k | \bar{w}_k | \ldots | w_k | \bar{w}_k.$$

In particular, $\mathrm{wt}(g_n) = \mathrm{wt}(a_r) + \frac{n - r}{2}$.

(c) The binary weight of $\mathrm{Inv}_{2^k+1}(n)$ is

$$\frac{n - s}{2} + 1 = \frac{n - s + 2}{2}.$$

Proof. Statement (a) follows from Theorem 3.2 (a). To prove (b), set

$$u = \frac{(2^k + 1) \cdot \mathrm{Inv}_{2^k+1}(r) - 1}{2^r - 1} - 1.$$

From the definition of $\mathrm{Inv}_{2^k+1}(r)$, it easily follows that $u < 2^k$. Lemma 2.3 combined
with the part (a) of this theorem complete the proof of (b). We prove statement (c) by
induction on $k_1$, where $k_1 = k/s$. If $k_1 = 1$ (or equivalently $k = s$), then $n \equiv s \pmod{2s}$,
since $n/s$ is odd. Consequently, $r = s$. Observe that $\mathrm{Inv}_{2^s+1}(s) = 2^{s-1}$. From (b), we have

$$\mathrm{wt}(\mathrm{Inv}_{2^k+1}(n)) = \mathrm{wt}(\mathrm{Inv}_{2^s+1}(s)) + \frac{n - s}{2} = 1 + \frac{n - s}{2}.$$

Suppose now that the statement holds for all $k_1 < \ell$ and take $k = s\ell$. Let $1 \le r < 2s\ell$ be
the residue of $n \pmod{2s\ell}$. Then by (b) the problem reduces to finding the weight of the
inverse of $2^{s\ell} + 1$ modulo $2^r - 1$. Note that if $r < s\ell$, then there is $\ell' < \ell$ such that

$$2^{s\ell} + 1 \equiv 2^{s\ell'} + 1 \pmod{2^r - 1}.$$

Hence the inverse of $2^{s\ell} + 1$ modulo $2^r - 1$ is equal to the one of $2^{s\ell'} + 1$, and we get

$$\mathrm{wt}(\mathrm{Inv}_{2^{s\ell}+1}(n)) = \mathrm{wt}(\mathrm{Inv}_{2^{s\ell}+1}(r)) + \frac{n - r}{2} = \mathrm{wt}(\mathrm{Inv}_{2^{s\ell'}+1}(r)) + \frac{n - r}{2} = 1 + \frac{r - s}{2} + \frac{n - r}{2} = 1 + \frac{n - s}{2}.$$

To complete the proof we must prove the statement for the case $r > s\ell$. Let $r = s\ell + r'$.
Then $r' = s\ell'$ for some $\ell' < \ell$. Using Claim 1 the binary weight of the inverses of $2^{s\ell} + 1$
and $2^{s\ell'} + 1$ modulo $2^{s\ell + s\ell'} - 1$ are equal, which completes the proof. □

Remark 3. The reason why it was possible to determine the binary weight of the inverse
of a Gold exponent in (c) of Theorem 3.7 is the fact that Algorithm 1 does not call the
algorithm Inverse, when computing the inverse for a Gold exponent.
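
The block structure stated in Corollary 3 and in Theorem 3.7 (b), (c) can be checked on concrete values; the following Python check is an added example, not code from the paper. The helper names (`inv_mersenne`, `decompose`, `check_gold`) are assumptions of this sketch, and the inverse itself is computed with Python's built-in `pow`.

```python
from math import gcd


def inv_mersenne(d, n):
    """Inv_d(n): least positive residue of d^-1 modulo 2^n - 1 (1 for n = 1)."""
    m = (1 << n) - 1
    return 1 if m == 1 else pow(d, -1, m)


def decompose(d, theta, n):
    """Split the n-bit string of Inv_d(n) as a_r | u | u | ... (Corollary 3).

    theta must be the order of 2 modulo d. Returns the leading r = n mod theta
    bits and the list of theta-bit blocks that follow.
    """
    r = n % theta
    bits = format(inv_mersenne(d, n), "0{}b".format(n))
    head, tail = bits[:r], bits[r:]
    return head, [tail[i:i + theta] for i in range(0, len(tail), theta)]


def complement(seq):
    """Complementary binary sequence (every bit flipped)."""
    return "".join("1" if c == "0" else "0" for c in seq)


def check_gold(k, n):
    """Check Theorem 3.7 (b) and (c) for d = 2^k + 1 modulo 2^n - 1."""
    s = gcd(n, k)
    if (n // s) % 2 == 0:
        raise ValueError("n/gcd(n,k) must be odd (Lemma 3.4)")
    d, theta = (1 << k) + 1, 2 * k           # Lemma 3.6: order of 2 is 2k
    head, blocks = decompose(d, theta, n)
    t = inv_mersenne(d, n)
    return {
        # the leading r bits are Inv_d(r) itself
        "head_is_inv_r": int(head, 2) == inv_mersenne(d, n % theta),
        # every following block of 2k bits is the same sequence
        "periodic": len(set(blocks)) <= 1,
        # and each block is w_k followed by its complement (Lemma 2.3)
        "w_then_complement": all(b[k:] == complement(b[:k]) for b in blocks),
        "weight": bin(t).count("1"),
        "predicted_weight": (n - s + 2) // 2,
    }


if __name__ == "__main__":
    # d = 7 has order 3; Example 3.1 with r = 1 gives 1 | 101 | 101 | 101.
    print(decompose(7, 3, 10))
    # Gold exponent 5 = 2^2 + 1 modulo 2^9 - 1, the inner step of Example 3.2.
    print(check_gold(2, 9))
```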

3.3. Kasami's exponent

We call integers $d = 2^{2k} - 2^k + 1$, where $k$ is a positive integer, Kasami exponents.
Such exponents define APN mappings on $\mathbb{F}_{2^n}$ if and only if $\gcd(k, n) = 1$. The next lemma
summarizes properties of Kasami exponents, which we need for later results:

Lemma 3.8. Let $k, n$ be positive integers. Then $\gcd(2^{2k} - 2^k + 1, 2^n - 1) = 1$ if and only
if one of the following cases occurs:

(a) $n/\gcd(n, k)$ is odd, that is $\gcd(n, 2k) = \gcd(n, k)$;

(b) $n/\gcd(n, k)$ is even, $k$ is even and $\gcd(k, n) = \gcd(3k, n)$.

Equivalently, $\gcd(2^{2k} - 2^k + 1, 2^n - 1) = 1$ if and only if one of the following cases occurs:

• $n$ is odd and $k \ge 1$ is arbitrary

• $n = 2^r a$ and $k = 2^r b$, where $a$ is odd and $1 \le r$.

• $n = 2^r 3^u a$ and $k = 2^s 3^v b$, where $b$ is odd, $1 \le s < r$ and $0 \le u \le v$.
• n = 2 r 3"a and k = 2 s 3 v b, where b is odd, 1 < s < r and < u < v. 
To prove the lemma above, we need to recall some propositions.

Proposition 3.9. Let $k$ be an integer. Then

$$\gcd(2^{2k} - 2^k + 1, 2^k + 1) = \begin{cases} 1 & \text{if } k \text{ is even,} \\ 3 & \text{otherwise.} \end{cases}$$

Proof.

$$\gcd(2^{2k} - 2^k + 1, 2^k + 1) = \gcd(2^{2k} - 2^{k+1}, 2^k + 1)$$
$$= \gcd(2^{k+1}(2^{k-1} - 1), 2^k + 1)$$
$$= \gcd(2^{k-1} - 1, 2^k + 1)$$
$$= \begin{cases} 1 & \text{if } k \text{ is even,} \\ 2^{\gcd(k, k-1)} + 1 = 3 & \text{otherwise.} \end{cases}$$

Here we apply Lemma 3.4. □

Proposition 3.10. For any even integer $n$ and $2k < n$, if

$$\gcd(2^{2k} - 2^k + 1, 2^n - 1) = 1$$

then $k$ is even.

Proof. Suppose that $k$ is odd. So, from Proposition 3.9 we have that

$$\gcd(2^{2k} - 2^k + 1, 2^k + 1) = 3.$$

But 3 divides $\gcd(2^n - 1, 2^k + 1)$ because $n$ is even.

It implies that 3 divides $\gcd(2^{2k} - 2^k + 1, 2^n - 1)$, a contradiction. □

Now we can prove Lemma 3.8.

Proof of Lemma 3.8. Let $d = 2^{2k} - 2^k + 1$. We want to determine when $\gcd(d, 2^n - 1) = 1$.
The first condition (i) means that

$$\gcd(2^k + 1, 2^n - 1) = 1$$

(from Lemma 3.4). Then we deduce that $\gcd(2^{kr} + 1, 2^n - 1) = 1$ for all odd $r$. In particular, this
holds for $r = 3$. Using

$$(2^k + 1)(2^{2k} - 2^k + 1) = 2^{3k} + 1,$$

we conclude that in this case $\gcd(d, 2^n - 1) = 1$. Note that (i) is satisfied for any odd $n$.

Now, we assume that $n/\gcd(n, k)$ is even; so $n$ is even. From Proposition 3.10 we
know that $\gcd(d, 2^n - 1) \ne 1$ for odd $k$. So $k$ must be even.

Again from Lemma 3.4, we have in this case

$$\gcd(2^k + 1, 2^n - 1) = 2^{\gcd(k, n)} + 1 = e, \quad e > 3,$$

and similarly

$$\gcd(2^{3k} + 1, 2^n - 1) = 2^{\gcd(3k, n)} + 1 = u,$$

where $e$ divides $u$ since $2^{3k} + 1 = (2^k + 1)d$. But, from Proposition 3.9 we have
$\gcd(d, 2^k + 1) = 1$ since $k$ is even. Hence $\gcd(d, 2^n - 1) = 1$ if and only if $u = e$ or, equivalently,
$\gcd(3k, n) = \gcd(k, n)$, completing the condition (ii). □
Proposition 3.11. Let $k > 1$ be an integer. Then the order of 2 modulo the Kasami
exponent $2^{2k} - 2^k + 1$ is $6k$.

Proof. It is enough to show that $3k$ is the least positive integer satisfying $2^{3k} \equiv -1 \pmod{2^{2k} - 2^k + 1}$.
The congruence $2^{3k} \equiv -1 \pmod{2^{2k} - 2^k + 1}$ holds, since clearly $2^{2k} - 2^k + 1$
divides $2^{3k} + 1$. Let an integer $0 < \sigma < 3k$ be such that $2^{\sigma} \equiv -1 \pmod{2^{2k} - 2^k + 1}$. Then
$\sigma > 2k - 1$, since $1 < 2^l < 2^{2k} - 2^k$ for $0 < l \leq 2k - 1$. Hence suppose $\sigma = 2k + i$ with
$0 \leq i < k$. Note that

$$2^{2k+i} \equiv 2^i(2^k - 1) \pmod{2^{2k} - 2^k + 1}.$$

To complete the proof it remains to observe that $2^i(2^k - 1) < 2^{2k} - 2^k$ if $0 \leq i < k$.

□ 
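Lemma 3.8 and Proposition 3.11 can be checked by brute force. The Python below is an added example, not code from the paper; the function names (`kasami`, `coprime_by_lemma`, `order_of_two`, `sweep`) and the sweep bounds are assumptions made here.

```python
from math import gcd

def kasami(k):
    """Kasami exponent d = 2^(2k) - 2^k + 1."""
    return (1 << (2 * k)) - (1 << k) + 1

def coprime_by_lemma(k, n):
    """Lemma 3.8, cases (a)/(b): decide gcd(d, 2^n - 1) = 1 from k and n alone."""
    g = gcd(n, k)
    if (n // g) % 2 == 1:                       # case (a): n/gcd(n, k) is odd
        return True
    return k % 2 == 0 and gcd(3 * k, n) == g    # case (b)

def order_of_two(d):
    """Multiplicative order of 2 modulo an odd integer d > 1, by repeated doubling."""
    x, t = 2 % d, 1
    while x != 1:
        x, t = (2 * x) % d, t + 1
    return t

def sweep(max_k=8, max_n=72):
    """Return (pairs (k, n) where the lemma disagrees with a direct gcd,
    values k > 1 where the order of 2 modulo d differs from 6k)."""
    bad_pairs, bad_orders = [], []
    for k in range(1, max_k + 1):
        d = kasami(k)
        for n in range(1, max_n + 1):
            direct = gcd(d, (1 << n) - 1) == 1
            if coprime_by_lemma(k, n) != direct:
                bad_pairs.append((k, n))
        if k > 1 and order_of_two(d) != 6 * k:  # Proposition 3.11 assumes k > 1
            bad_orders.append(k)
    return bad_pairs, bad_orders

if __name__ == "__main__":
    print(sweep())                     # both lists are empty in the swept range
    print(coprime_by_lemma(2, 12))     # False: 13 divides 2^12 - 1
```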



Theorem 3.2 implies for the Kasami exponents:

Theorem 3.12. Let $n, k > 1$ with $\gcd(2^{2k} - 2^k + 1, 2^n - 1) = 1$. Let $r$ be the least positive
residue of $n$ modulo $6k$. Then

(a) $\mathrm{Inv}_{2^{2k}-2^k+1}(n)$ is equal to

$$\mathrm{Inv}_{2^{2k}-2^k+1}(r) \cdot 2^{n-r} + \left( \frac{(2^{2k} - 2^k + 1) \cdot \mathrm{Inv}_{2^{2k}-2^k+1}(r) - 1}{2^r - 1} - 1 \right) \cdot \frac{2^{n-r} - 1}{2^{2k} - 2^k + 1}$$

(b) Let

- $g_n$ be the binary sequence of length $n$ representing $\mathrm{Inv}_{2^{2k}-2^k+1}(n)$;

- $w_{3k}$ be the binary sequence of length $3k$ representing

<{2 2k - 2 k + 1 ) ■ Inv 2a _ 2t+1 (r) - 1 _ \ _ k 
2 r - 1 / 

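- $a_r$ be the binary sequence of length $r$ representing $\mathrm{Inv}_{2^{2k}-2^k+1}(r)$.

Then $g_n$ is obtained by concatenating sequences $a_r$, $w_{3k}$ and $\overline{w}_{3k}$ as follows:

$$g_n = a_r \,|\, w_{3k} \,|\, \overline{w}_{3k} \,|\, \cdots \,|\, w_{3k} \,|\, \overline{w}_{3k}.$$

In particular, $\mathrm{wt}(g_n) = \mathrm{wt}(a_r) +$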

Proof. The statement follows from Theorem 3.2 and Lemma 2.3 similarly to the proof
of Theorem K7\ □ 



Example 3.4. Consider the Kasami exponent $13 = 2^4 - 2^2 + 1$. Lemma 3.8 shows that
$\gcd(13, 2^n - 1) = 1$ if and only if $n \not\equiv 0 \pmod{12}$. Then using Theorem 3.12 we get:

• if $n \equiv 1 \pmod{12}$ then

$$\mathrm{Inv}_{13}(n) = 2^{n-1} + 11 \cdot \frac{2^{n-1} - 1}{13}$$

since $\mathrm{Inv}_{13}(1) = 1$. The binary weight of $\mathrm{Inv}_{13}(n)$ is $(n + 1)/2$.

• if $n \equiv 2 \pmod{12}$ then

$$\mathrm{Inv}_{13}(n) = 2^{n-2} + 3 \cdot \frac{2^{n-2} - 1}{13}$$

since $\mathrm{Inv}_{13}(2) = 1$. The binary weight of $\mathrm{Inv}_{13}(n)$ is $n/2$.

• if $n \equiv 3 \pmod{12}$ then

$$\mathrm{Inv}_{13}(n) = 6 \cdot 2^{n-3} + 10 \cdot \frac{2^{n-3} - 1}{13}$$

since $\mathrm{Inv}_{13}(3) = 6$. The binary weight of $\mathrm{Inv}_{13}(n)$ is $(n + 1)/2$.

• if $n \equiv 4 \pmod{12}$ then

$$\mathrm{Inv}_{13}(n) = 7 \cdot 2^{n-4} + 5 \cdot \frac{2^{n-4} - 1}{13}$$

since $\mathrm{Inv}_{13}(4) = 7$. The binary weight of $\mathrm{Inv}_{13}(n)$ is $(n + 2)/2$.

• if $n \equiv 5 \pmod{12}$ then

$$\mathrm{Inv}_{13}(n) = 12 \cdot 2^{n-5} + 5 \cdot \frac{2^{n-5} - 1}{13}$$

since $\mathrm{Inv}_{13}(5) = 12$. The binary weight of $\mathrm{Inv}_{13}(n)$ is $(n - 1)/2$.

• if $n \equiv 6 \pmod{12}$ then

$$\mathrm{Inv}_{13}(n) = 34 \cdot 2^{n-6} + 6 \cdot \frac{2^{n-6} - 1}{13}$$

since $\mathrm{Inv}_{13}(6) = 34$. The binary weight of $\mathrm{Inv}_{13}(n)$ is $(n - 2)/2$.

Then using identity p.3p . we obtain that: 

• if $n \equiv 7 \pmod{12}$ then the binary weight of $\mathrm{Inv}_{13}(n)$ is $(n - 1)/2$, since $\mathrm{wt}(\mathrm{Inv}_{13}(7)) = 3$.

• if $n \equiv 8 \pmod{12}$ then the binary weight of $\mathrm{Inv}_{13}(n)$ is $(n + 2)/2$, since $\mathrm{wt}(\mathrm{Inv}_{13}(8)) = 5$.

• if $n \equiv 9 \pmod{12}$ then the binary weight of $\mathrm{Inv}_{13}(n)$ is $(n + 1)/2$, since $\mathrm{wt}(\mathrm{Inv}_{13}(9)) = 5$.

• if $n \equiv 10 \pmod{12}$ then the binary weight of $\mathrm{Inv}_{13}(n)$ is $n/2$, since $\mathrm{wt}(\mathrm{Inv}_{13}(10)) = 5$.

• if $n \equiv 11 \pmod{12}$ then the binary weight of $\mathrm{Inv}_{13}(n)$ is $(n + 1)/2$, since $\mathrm{wt}(\mathrm{Inv}_{13}(11)) = 6$.
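Theorem 3.12 and the weights listed in Example 3.4 can be checked numerically. The Python below is an added example, not code from the paper; the function names (`inv`, `inv_by_period`, `split_blocks`, `check_example`) and the bound `limit` are assumptions made here. It rebuilds $\mathrm{Inv}_d(n)$ from $\mathrm{Inv}_d(r)$ with the closed form of part (a), splits the bit string of $\mathrm{Inv}_d(n)$ as in part (b), and compares the listed weights for $d = 13$ with direct modular inversion.

```python
from math import gcd

def kasami(k):
    return (1 << (2 * k)) - (1 << k) + 1

def inv(d, n):
    """Inv_d(n): least positive residue of the inverse of d modulo 2^n - 1."""
    m = (1 << n) - 1
    if n < 1 or gcd(d, m) != 1:
        raise ValueError(f"{d} is not invertible modulo 2^{n} - 1")
    return 1 if m == 1 else pow(d, -1, m)    # modulo 1 the least positive residue is 1

def inv_by_period(k, n):
    """Theorem 3.12(a): Inv_d(n) from Inv_d(r), r = least positive residue of n mod 6k."""
    d, r = kasami(k), n % (6 * k)
    a = inv(d, r)                            # raises when 6k divides n (no inverse)
    c = (d * a - 1) // ((1 << r) - 1) - 1    # exact division
    return a * (1 << (n - r)) + c * (((1 << (n - r)) - 1) // d)

def wt(x):
    return bin(x).count("1")

def split_blocks(k, n):
    """Theorem 3.12(b): the n-bit string g_n as (a_r, list of 3k-bit blocks)."""
    r = n % (6 * k)
    g = format(inv(kasami(k), n), f"0{n}b")
    return g[:r], [g[i:i + 3 * k] for i in range(r, n, 3 * k)]

# Example 3.4, d = 13: wt(Inv_13(n)) = (n + OFFSET_13[n mod 12]) / 2
OFFSET_13 = {1: 1, 2: 0, 3: 1, 4: 2, 5: -1, 6: -2, 7: -1, 8: 2, 9: 1, 10: 0, 11: 1}

def check_example(limit=240):
    """Return every n <= limit where the closed form or the listed weight fails."""
    bad = []
    for n in range(1, limit + 1):
        if n % 12 == 0:
            continue                         # 13 divides 2^n - 1, no inverse
        x = inv(13, n)
        if inv_by_period(2, n) != x or 2 * wt(x) != n + OFFSET_13[n % 12]:
            bad.append(n)
    return bad

if __name__ == "__main__":
    print(check_example())                   # empty list: no disagreement found
    print(split_blocks(2, 25))               # a_1 followed by alternating 6-bit blocks
```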

Open question: Is it possible to express the binary weight of the inverse of Kasami's
exponent $2^{2k} - 2^k + 1$ modulo $2^n - 1$ in terms of $k$ and $n$?

Tables 2-4 contain the weights of the inverses for the Kasami exponents defined with
$k = 3, 4, 5$. Some of the values in these tables follow from the results of Proposition 3.13.
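| $r$ | 1 | 3 | 5 | 7 | 9 | 11 | 13 | 15 | 17 |
|---|---|---|---|---|---|---|---|---|---|
| $\mathrm{wt}(\mathrm{Inv}_d(r))$ | 1 | 1 | 2 | 4 | 2 | 6 | 6 | 7 | 9 |

Table 2: Weights of the inverse of $d = 2^6 - 2^3 + 1$ modulo $2^r - 1$, $1 \leq r \leq 17$

| $r$ | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $\mathrm{wt}(\mathrm{Inv}_d(r))$ | 1 | 1 | 2 | 1 | 3 | 2 | 4 | 5 | 5 | 3 | 4 | 2 |

| $r$ | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| $\mathrm{wt}(\mathrm{Inv}_d(r))$ | 5 | 5 | 8 | 9 | 9 | 8 | 10 | 9 | 11 | 11 | 12 |

Table 3: Weights of the inverse of $d = 2^8 - 2^4 + 1$ modulo $2^r - 1$, $1 \leq r \leq 23$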



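Proposition 3.13. Let $k, n > 1$ and $\gcd(2^{2k} - 2^k + 1, 2^n - 1) = 1$.

(a) If $n \equiv k/b \pmod{6k}$ with $b > 1$ a divisor of $k$, then $\mathrm{Inv}_{2^{2k}-2^k+1}(k/b) = 1$ and

$$\mathrm{Inv}_{2^{2k}-2^k+1}(n) = 2^{n-k/b} + \left( \frac{2^k(2^k - 1)}{2^{k/b} - 1} - 1 \right) \cdot \frac{2^{n-k/b} - 1}{2^{2k} - 2^k + 1}.$$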



(7>; Inv 2 2 L2i+1 (^-l) = %i. 
(c) Inv22A-_2*+i (k + 1) = 2 3 ~' 



(dj Inv 2 2L 2 ' + i (2/t) = (2* + 2) ■ + 1. 

(e) Let $n \equiv 3k/b \pmod{6k}$, where $b > 1$ is a divisor of $k$ with $\gcd(b, 3) = 1$, and let $b'$ be the
least positive residue of $b$ modulo 3. Then $\mathrm{Inv}_{2^{2k}-2^k+1}(3k/b) = 2^{3k/b - 1} + 2^{b'k/b - 1}$.

(7J Inv 2 2*_ 2 * + i (4fe) = (1 + 2 k+l + 2 2k + 2 3k+l ) ■ %± + 2 k . 

(g) $\mathrm{Inv}_{2^{2k}-2^k+1}(5k) = 2^{5k} - 2^{4k} + 2^{2k} + 2^k - 1 \equiv 2^{2k}(2^{4k} - 2^{2k} + 1) \pmod{2^{5k} - 1}$.

(h) $\mathrm{Inv}_{2^{2k}-2^k+1}(6k - 1) = (2^{3k} - 1)(2^k + 1)$.

Note that in cases (c)-(k) of the above proposition $n$ depends on $k$, and hence we are
in a situation similar to the one discussed in Section 2.

For any $b$ dividing $k$ and being coprime to 5, we conjecture that $\mathrm{Inv}_{2^{2k}-2^k+1}(5k/b)$ is
congruent to a Kasami exponent, that is, $\mathrm{Inv}_{2^{2k}-2^k+1}(5k/b) \equiv 2^u(2^{2v} - 2^v + 1) \pmod{2^{5k/b} - 1}$
for some integers $u$ and $v$.

Finally we want to remark that in some cases the computation of inverses for Kasami 
exponents can be reduced to the one for the Gold exponents. 



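| $r$ | 1 | 3 | 5 | 7 | 9 | 11 | 13 | 15 | 17 | 19 | 21 | 23 | 25 | 27 | 29 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $\mathrm{wt}(\mathrm{Inv}_d(r))$ | 1 | 2 | 1 | 3 | 5 | 5 | 7 | 2 | 9 | 9 | 11 | 11 | 11 | 14 | 15 |

Table 4: Weights of the inverses of $d = 2^{10} - 2^5 + 1$ modulo $2^r - 1$, $1 \leq r \leq 29$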
Claim 2. Let the positive integers $k, n$ be such that $n/\gcd(n, k)$ is odd. Then both $2^k + 1$ and
$2^{3k} + 1$ are coprime to $2^n - 1$, and therefore

$$\mathrm{Inv}_d(n) \equiv (2^k + 1)\,\mathrm{Inv}_{2^{3k}+1}(n) \pmod{2^n - 1}$$

holds.

3.4. $2^k - 1$ exponent

In [1] it is shown that the power mappings with exponents $2^k - 1$ have interesting
properties for cryptological applications. It is well known that $\gcd(2^n - 1, 2^k - 1) = 2^{\gcd(n,k)} - 1$,
and therefore $2^k - 1$ is invertible modulo $2^n - 1$ if and only if $n$ and $k$ are
coprime. Moreover this indicates also that the calculation of the inverse of $2^k - 1$ modulo
$2^n - 1$ reduces to the one of $k$ modulo $n$.

Theorem 3.14. Let $n, k > 2$ be coprime integers. Then

$$\mathrm{Inv}_{2^k-1}(n) \equiv \frac{2^{ks} - 1}{2^k - 1} \pmod{2^n - 1},$$

where $s$ is any positive integer satisfying $s \cdot k \equiv 1 \pmod{n}$. More precisely, if $k^{-1}$ is the
least positive residue of the inverse of $k$ modulo $n$, then

$$\mathrm{Inv}_{2^k-1}(n) \equiv \sum_{i=0}^{k^{-1}-1} 2^{ki} \pmod{2^n - 1}. \qquad (12)$$

Proof. Let $s \cdot k = 1 + n \cdot m$. Then

$$(2^k - 1) \cdot \frac{2^{ks} - 1}{2^k - 1} = 2^{ks} - 1 = 2^{nm+1} - 1 \equiv 1 \pmod{2^n - 1}.$$

The second statement follows if we put $s = k^{-1}$. □
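Identity (12) turns the inversion of $2^k - 1$ modulo $2^n - 1$ into an inversion of $k$ modulo $n$ followed by setting bits. The Python below is an added example, not code from the paper; the names `inv_pow2_minus_1` and `mismatches` are assumptions made here, and the weight check is a consequence of (12) verified by the code, not a statement quoted from the page.

```python
from math import gcd

def inv_pow2_minus_1(k, n):
    """Theorem 3.14, identity (12): Inv_{2^k - 1}(n) built from k^{-1} modulo n."""
    if n < 2 or k < 1 or gcd(k, n) != 1:
        raise ValueError("k and n must be coprime with n >= 2")
    s = pow(k, -1, n)                  # least positive residue of k^{-1} modulo n
    x = 0
    for i in range(s):
        # 2^{ki} modulo 2^n - 1 is 2^{ki mod n}; the exponents ki mod n are
        # pairwise distinct for i < n because gcd(k, n) = 1, so no carries occur
        x += 1 << ((k * i) % n)
    return x

def mismatches(max_n=40):
    """Return the coprime pairs (k, n), 2 <= k < 2n, where the bit construction
    differs from direct modular inversion or its binary weight is not k^{-1} mod n."""
    bad = []
    for n in range(2, max_n + 1):
        for k in range(2, 2 * n):
            if gcd(k, n) != 1:
                continue
            direct = pow((1 << k) - 1, -1, (1 << n) - 1)
            x = inv_pow2_minus_1(k, n)
            if x != direct or bin(x).count("1") != pow(k, -1, n):
                bad.append((k, n))
    return bad

if __name__ == "__main__":
    print(inv_pow2_minus_1(3, 5))      # 9, since 7 * 9 = 63 = 2 * 31 + 1
    print(mismatches())                # empty list in the swept range
```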



4. Conclusion 

This paper is motivated by the problem of finding explicitly the inverses of the known
APN exponents. We succeeded in this for the Welch and Dobbertin exponents. The case of the
exceptional APN exponents, that is of the Gold and Kasami exponents, is more difficult
as we show in Section 3. For the Gold exponents $2^k + 1$, we found the binary weights of
their inverses modulo $2^n - 1$ in terms of $n$ and $k$. For the Kasami exponents $2^{2k} - 2^k + 1$, we
showed that the binary weight of the inverses is uniquely defined by the binary weight of
its inverse modulo $2^r - 1$, where $r$ is the least positive residue of $n$ modulo $6k$, the order of 2 modulo $2^{2k} - 2^k + 1$.
Presently, it is not clear to us whether we may expect more explicit results on Kasami
exponents than those given in Theorem 3.12.

Generally, for a fixed positive integer $d$ we considered the function $\mathrm{Inv}_d$, which maps
$n$ to the least positive residue of the inverse of $d$ modulo $2^n - 1$.
We are not aware whether the function $\mathrm{Inv}_d$ was studied before. We
think that a better understanding of $\mathrm{Inv}_d$ in general, as well as for special values of $d$,
is a fundamental problem deserving a further development. In particular, it would be
interesting to see if there are any connections with the algebraic feedback shift register 
sequences (see 0]) yielding new insights on the problem. 